
Re: heartbeats (summary of responses)




>>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
    Slava> If you are talking about deleting _unexpired_ IKE SAs when there is a
    Slava> quiet period as far as heartbeats - and then you re-negotiate it
    Slava> when there is a need for a heartbeat - I see at least two problems
    Slava> with it: 1) possibility of re-negotiating IKE SAs more frequently
    Slava> than their expiration time - i.e. if IKE SA set to expire in 4
    Slava> hours - you may end up re-negotiating it every hour (just a

  If the user goes away, the odds are that they will come back with a
different IP address, so you have to renegotiate anyway. The heartbeat
permits one to identify unused SAs. If you want to expire them, fine. I think 
that I would simply unload them into some secondary storage if available if
the primary got short of space. 
  The point of heartbeats is to permit gateways to identify clients who
disconnected by unplugging the modem. Now, if you keep the phase 1 SA around,
you might permit a user to rekey from a different IP address, but I don't
think that it would be interoperable.

    Slava> But if you are talking about keeping IKE SA till it _expires_ and do
    Slava> not re-negotiate it until you need it again - I would agree with
    Slava> you.

  If you can afford to keep all SAs until they expire, then you should do so, period.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
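As an added illustration (not part of this thread, and not anyone's implementation), a small Python model of the two policies Slava and Michael discuss: a gateway that uses heartbeats to spot clients that have gone quiet, and either deletes the idle IKE SA or parks it in secondary storage until its lifetime expires. The policy names, the 4-hour lifetime, the 3-minute dead-peer threshold and the client's on/off traffic pattern are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class IkeSa:
    peer: str             # keyed by peer identity, not IP address (modelling assumption)
    established: float    # seconds
    lifetime: float       # hard lifetime; 4 hours as in the thread's example
    last_heartbeat: float

    def expired(self, now):
        return now >= self.established + self.lifetime

    def idle(self, now, dead_after):
        return now - self.last_heartbeat >= dead_after


class SaTable:
    """IKE SA table; policy is 'delete_idle' or 'keep_until_expiry' (assumed names)."""

    def __init__(self, policy, lifetime, dead_after):
        self.policy, self.lifetime, self.dead_after = policy, lifetime, dead_after
        self.active, self.parked = {}, {}   # parked = secondary storage for idle SAs
        self.renegotiations = 0

    def heartbeat(self, peer, now):
        sa = self.active.get(peer) or self.parked.pop(peer, None)
        if sa is None or sa.expired(now):
            sa = IkeSa(peer, now, self.lifetime, now)   # full phase-1 renegotiation
            self.renegotiations += 1
        sa.last_heartbeat = now
        self.active[peer] = sa

    def sweep(self, now):
        for peer, sa in list(self.active.items()):
            if sa.expired(now):
                del self.active[peer]
            elif sa.idle(now, self.dead_after):         # heartbeats stopped: client gone
                del self.active[peer]
                if self.policy == "keep_until_expiry":
                    self.parked[peer] = sa
        self.parked = {p: s for p, s in self.parked.items() if not s.expired(now)}


def simulate(policy, lifetime=4 * 3600, dead_after=180):
    """Constructed pattern: one client heartbeats for 5 minutes each hour, over 4 hours."""
    table = SaTable(policy, lifetime, dead_after)
    for hour in range(4):
        for minute in range(5):
            table.heartbeat("client-A", hour * 3600 + minute * 60)
        for t in range(hour * 3600 + 300, (hour + 1) * 3600, 60):
            table.sweep(t)
    return table.renegotiations
```

Under this pattern `simulate("delete_idle")` renegotiates once per hour, four times inside a single 4-hour lifetime, while `simulate("keep_until_expiry")` renegotiates once.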